WO2010048874A1 - Method, device and system for identifying ip session - Google Patents


Info

Publication number
WO2010048874A1
Authority
WO
WIPO (PCT)
Prior art keywords
session
identifier
address
session identifier
user equipment
Prior art date
Application number
PCT/CN2009/074628
Other languages
French (fr)
Chinese (zh)
Inventor
郑若滨
Original Assignee
华为技术有限公司
Priority date
Filing date
Publication date
Application filed by 华为技术有限公司
Priority to EP09823066.7A (EP2346217B1)
Publication of WO2010048874A1
Priority to US13/097,369 (US20110202670A1)
Classifications

    All groups below fall under H ELECTRICITY / H04 ELECTRIC COMMUNICATION TECHNIQUE / H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION:
    • H04L 63/08 Network architectures or network communication protocols for network security, for authentication of entities
    • H04L 47/2483 Traffic characterised by specific attributes, e.g. priority or QoS, involving identification of individual flows
    • H04L 61/103 Mapping addresses of different types across network layers, e.g. resolution of network layer into physical layer addresses or address resolution protocol [ARP]
    • H04L 61/5014 Address allocation: Internet protocol [IP] addresses using dynamic host configuration protocol [DHCP] or bootstrap protocol [BOOTP]
    • H04L 63/164 Implementing security features at a particular protocol layer, at the network layer
    • H04L 67/14 Session management
    • H04L 67/146 Markers for unambiguous identification of a particular session, e.g. session cookie or URL-encoding
    • H04L 2101/622 Types of network addresses: layer-2 addresses, e.g. medium access control [MAC] addresses
    • H04L 2101/659 Types of network addresses: Internet protocol version 6 [IPv6] addresses

Definitions

  • IP session identification method device and system
  • The present invention relates to the field of communications technologies, and in particular to an IP session identification method, apparatus, and system.
  • Background technique
  • An Internet Protocol (IP) session represents a network access connection session associated with the IP address of a Subscriber/user device; an IP Session is the peer of a Point-to-Point Protocol Session (PPP Session) at the point-to-point link layer.
  • A Subscriber Session is the general term covering both an IP Session and a PPP Session.
  • A PPP Session uses PPP's own liveness (keep-alive) detection mechanism.
  • An IP version 4 (IPv4) session uses Bidirectional Forwarding Detection (BFD) or the Address Resolution Protocol (ARP) as its liveness detection mechanism.
  • the IP Session is usually terminated on an IP Edge device, such as a Broadband Network Gateway (BNG)/Broadband Remote Access Server (BRAS).
  • The other end of the IP Session is usually terminated on the user side, for example by a home gateway (HGW) or by a user equipment (UE) behind the HGW; that is, the IP session is a session connection established between the user equipment and the IP edge device.
  • The network uses the IP session to manage user access, for example for billing and status tracking.
  • the inventor has found that the prior art has at least the following problems:
  • In the prior art, the data communication process of an IP Session has no coupling with the authentication process or the IP address allocation process. As a result, even after authentication has succeeded, an attacker may still impersonate the subscriber within the IP Session by forging an IP address or a MAC address, which is a serious security risk.
  • Summary of the invention
  • An embodiment of the present invention provides an IP session identification method, apparatus, and system that filter an IP session by checking whether an IP session identifier generated according to a preset rule has been added to the IP session. This couples the data communication process of the IP session to the authentication process/IP address allocation process and so improves the security of the IP session.
  • an embodiment of the present invention provides an IP session identification method, which includes the following steps:
  • the received IP session packet is filtered according to the IP session identifier.
  • an embodiment of the present invention further provides a network gateway, including:
  • a generating module configured to generate an IP session identifier for the IP session in the authentication process and/or the IP address allocation process according to the preset IP session identifier generation rule;
  • the processing module is configured to filter, according to the IP session identifier, the received IP session packet.
  • an embodiment of the present invention further provides an IP session processing system, including a user equipment and a network gateway:
  • the user equipment is configured to receive an IP session identifier generation rule sent by the network gateway, generate a corresponding IP session identifier according to the IP session identifier generation rule, and send an IP session packet to the network gateway;
  • the network gateway is configured to set the IP session identifier generation rule, send the IP session identifier generation rule to the user equipment, generate an IP session identifier for the IP session in an authentication process and/or an IP address allocation process according to the IP session identifier generation rule, and filter the IP session according to the IP session identifier.
  • The technical solution of the embodiment of the present invention has the following advantage: because the IP session is filtered by verifying whether an IP session identifier generated according to the preset rule has been added to the IP session, the data communication process of the IP session is coupled to the authentication process/IP address allocation process, which improves the security of the IP session.
  • FIG. 1 is a schematic flowchart of an IP session identification method according to Embodiment 1 of the present invention
  • FIG. 2 is a schematic flowchart of an IP session identification method according to Embodiment 1 of the present invention
  • FIG. 4 is a schematic flowchart of a method for identifying an IP session in a dynamic IPv6 session according to Embodiment 3 of the present invention
  • FIG. 5 is a schematic flowchart of another method for identifying an IP session in a dynamic IPv6 session according to Embodiment 4 of the present invention.
  • FIG. 6 is a schematic flowchart of another method for identifying an IP session in a dynamic IPv6 session according to Embodiment 5 of the present invention.
  • FIG. 7 is a schematic flowchart of another method for identifying an IP session in a dynamic IPv6 session according to Embodiment 6 of the present invention
  • FIG. 8 is a schematic flowchart of another method for identifying an IP session in a dynamic IPv6 session according to Embodiment 7 of the present invention
  • FIG. 9 is a schematic flowchart of an IP session identification method in a static IPv6 session according to Embodiment 8 of the present invention.
  • Detailed description
  • the embodiment of the invention provides an IP session identification method, device and system.
  • The technical solution is as follows: an IPv6 Session Identity (ID) field is set in the IPv6 Flow Label, or an IPv6 Session ID field (for example, an IPv6 address prefix) is set in the IPv6 address; the IPv6 Session ID is generated according to rules agreed between the Subscriber and the operator, so that the IPv6 Session is coupled to the authentication process/IP address allocation process.
  • the IPv6 session ID remains unchanged during the lifetime of the IP session.
  • The BNG filters received packets by their IPv6 Session ID to prevent an attacker from spoofing IP addresses or MAC addresses, which ensures the security of shared-media access.
  • FIG. 1 is a schematic flowchart diagram of an IP session identification method according to Embodiment 1 of the present invention, where the method includes the following steps:
  • Step S101 The network gateway generates an IP session identifier for the IP session in the authentication process and/or the IP address allocation process according to the preset IP session identifier generation rule.
  • The embodiment is described using an IPv6 Session as the example IP session; other sessions that meet the requirements of the implementation scenario of the embodiment also fall within the protection scope of the present invention. This applies throughout the text and will not be restated below.
  • IPv6 Session is divided into dynamic IPv6 Session and static IPv6 Session.
  • Dynamic IPv6 sessions can be dynamically created and terminated. Static IPv6 sessions can only be statically configured.
  • the technical solution of the embodiment of the present invention is to set an IPv6 Session ID field in an IPv6 Flow label or an IPv6 Session ID field (for example, an IPv6 address prefix) in an IPv6 address.
  • An IP session identifier can be generated for the IP session during the authentication process and the IP address allocation process; specifically, the IPv6 Session ID field of the IPv6 Flow Label is generated from the authentication session ID and the Dynamic Host Configuration Protocol transaction identifier (DHCP Transaction ID, xid) according to the agreed rules.
  • Alternatively, the IP session identifier can be generated during the authentication process or the IP address allocation process; specifically, the Subscriber's IPv6 address prefix obtained by Prefix Delegation (PD) or Stateless Address Autoconfiguration (SLAAC) is used as the IPv6 Session ID, so that the Subscriber's IPv6 address prefix is bound to the IPv6 session.
  • An IPv6 Session ID may also be generated from the IPv6 address/IPv6 address prefix according to the agreed rules.
  • The IP edge node can authorize the IPv6 session according to the IPv6 Session ID.
  • Authorization of the IPv6 session is usually implemented with the authentication, authorization, and accounting (AAA) protocol, and the IPv6 Session ID (for example, an IPv6 address prefix) can be carried in the AAA messages of the IPv6 session.
  • For a dynamic IPv6 session, the IPv6 Session ID generation rule can be configured on the user device dynamically through the authentication protocol/DHCP after authentication/IP address assignment succeeds, before the IPv6 session is established; for a static IPv6 session, the IPv6 Session ID generation rule may be statically configured.
  • That is, before step S101 the following two cases are also included: when the IP session is a dynamic IP session, an IP session identifier generation rule is set in the network gateway and sent to the user equipment in an authentication confirmation message or an address allocation response message, which sets the IP session identifier generation rule in the user equipment; when the IP session is a static IP session, the IP session identifier generation rule is set on both the network gateway and the user equipment.
  • Step S101 is likewise divided into two cases: when the IP session is a dynamic IP session, the IP session identifier is generated for the IP session during the authentication process and/or the IP address allocation process according to the preset IP session identifier generation rule and either the IP session address prefix obtained by address assignment or router advertisement (RA), the authentication identifier in the authentication confirmation message, or the execution identifier (xid) in the address allocation response message; when the IP session is a static IP session, the IP session identifier is generated for the IP session in the IP address allocation process according to the preset IP session identifier generation rule and the IP session address or IP session address prefix preset in the user equipment.
  • When the IP session identifier is generated from the execution identifier in the address allocation response message, the method further includes: when the IP address allocation result of the IP session is updated, generating an updated IP session identifier for the IP session according to the preset IP session identifier generation rule and the execution identifier in the updated address allocation response message.
  • the IPv6 session ID does not change during the IP session lifetime.
  • the IPv6 session is marked by the IPv6 Session ID.
  • Step S102 Filter the received IP session packet according to the IP session identifier.
  • The foregoing method further includes: when the IP session is terminated, the IP session identifier is released.
  • Step S201 The network gateway generates an IP session identifier for the IP session in the authentication process and/or the IP address allocation process according to the preset IP session identifier generation rule.
  • This step is the same as step S101 and is not described again in this embodiment.
  • Step S202 The network gateway determines whether the IP session identifier and the MAC address of the user equipment or the access port meet the preset binding relationship table.
  • The network gateway checks whether the correspondence between the IP session identifier and the MAC address of the user equipment or the access port is consistent with the preset binding relationship table, that is, whether the received IP session packet comes from the preset MAC address or access port and therefore whether the IP session was initiated from an authenticated port and meets the authentication requirement.
  • the binding relationship table is specifically a binding relationship between the IP session identifier generated by the user equipment and the user equipment MAC address or the access port.
  • the access port may be an access physical port (such as a digital subscriber line port or a passive optical network physical interface), or an access logical port (such as a virtual local area network port or a Gigabit passive optical network encapsulation mode port).
  • When the network gateway determines that the IP session identifier and the MAC address or access port of the user equipment meet the preset binding relationship table, the process proceeds to step S203; otherwise it proceeds to step S204.
  • Step S203 The network gateway allows the packet to pass.
  • Because the user equipment that sent the packet is the authenticated user equipment, the packet is considered secure and is allowed to pass.
  • Step S204 The network gateway discards the packet.
  • Because the user equipment that sent the packet is not a user equipment that has passed authentication, the security of the packet is unknown and it is discarded.
  • the foregoing method further includes: When the IP session is terminated, the IP session ID is released.
  • The technical solution of the embodiment of the present invention has the following advantage: because the IP session is filtered by verifying whether an IP session identifier generated according to the preset rule has been added to the IP session, the data communication process of the IP session is coupled to the authentication process/IP address allocation process, which improves the security of the IP session.
  • FIG. 3 is a schematic structural diagram of an IP session processing system according to Embodiment 2 of the present invention. As shown, the system includes user equipment 1 and network gateway 2:
  • The user equipment 1 is configured to receive an IP session identifier generation rule sent by the network gateway 2, generate a corresponding IP session identifier according to the IP session identifier generation rule, and send IP session packets to the network gateway 2; further, the user equipment 1 is configured to set the IP session address or IP session address prefix that serves as the basis for generating the IP session identifier.
  • The network gateway 2 is configured to set an IP session identifier generation rule, send the IP session identifier generation rule to the user equipment 1, generate an IP session identifier for the IP session in the authentication process and/or the IP address allocation process according to the IP session identifier generation rule, and filter the IP session according to the IP session identifier.
  • the network gateway 2 specifically includes:
  • The setting module 21 is configured to set an IP session identifier generation rule and a binding relationship table in the network gateway 2.
  • The sending module 22 is configured to send the IP session identifier generation rule set by the setting module 21 to the user equipment 1, so that the user equipment 1 sets the IP session identifier generation rule.
  • The generating module 23 is configured to generate an IP session identifier for the IP session in the authentication process and/or the IP address allocation process according to the IP session identifier generation rule preset by the setting module 21. It specifically includes: an obtaining sub-module 231, configured to obtain an IP session address prefix by address assignment or by router advertisement, or obtain the authentication identifier in an authentication confirmation message, or obtain the execution identifier in an address allocation response message, or obtain the IP session address or IP session address prefix preset in the user equipment 1;
  • a generating sub-module 232, configured to generate an IP session identifier for the IP session according to the IP session identifier generation rule preset by the setting module 21 and the IP session address prefix, authentication identifier, execution identifier, or preset IP session address or IP session address prefix obtained by the obtaining sub-module 231;
  • an update sub-module 233, configured to, when the IP address allocation result of the IP session is updated, generate an updated IP session identifier for the IP session according to the IP session identifier generation rule preset by the setting module 21 and the execution identifier in the updated address allocation response message obtained by the obtaining sub-module 231.
  • the processing module 24 is configured to filter the received IP session packet according to the IP session identifier.
  • Processing module 24 can include:
  • The determining sub-module 241 is configured to determine whether the IP session identifier and the MAC address or access port of the user equipment 1 meet the binding relationship table set by the setting module 21;
  • the filtering sub-module 242 is configured to allow the packet to pass when the determining sub-module 241 determines that the IP session identifier and the MAC address or access port of the user equipment 1 meet the preset binding relationship table, and to discard the packet when the determining sub-module 241 determines that they do not.
  • the release module 25 is configured to release the IP session identifier generated by the generating module 23 when the IP session is terminated.
  • the above modules may be distributed in one device or distributed in multiple devices.
  • the above modules can be combined into one module, or further split into multiple sub-modules.
  • The technical solution of the embodiment of the present invention has the following advantage: because the system filters the IP session by checking whether an IP session identifier generated according to the preset rule has been added to the IP session, the data communication process of the IP session is coupled to the authentication process/IP address allocation process, which improves the security of the IP session.
  • Embodiment 3 of the present invention provides an IP session identification method in a dynamic IPv6 session, in which the IP session identifier is created in the authentication phase. The method includes the following steps:
  • Step S401 The subscriber (Subscriber) device performs an Extensible Authentication Protocol (EAP) authentication through the BNG to the authentication server.
  • the BNG is the network gateway mentioned in the foregoing embodiment of the present invention.
  • The user equipment is the Subscriber in a specific application environment; it may be an access user terminal or an access device connected to multiple terminals, such as a home gateway. The same holds in the following embodiments and is not repeated there; the change of the specific name does not affect the protection scope of the present invention.
  • Step S402 When the EAP authentication of the user equipment succeeds, the authentication server sends an EAP Success message to the user equipment through the BNG, and the IPv6 Session ID generation rule is configured in that user's user equipment.
  • Step S403 After the EAP authentication of the user equipment succeeds, the user equipment starts DHCP prefix delegation (Prefix Delegation, hereinafter PD) and generates a DHCP Transaction ID (xid); the user equipment can generate the xid from the EAP Identifier of the EAP Success message according to a certain rule. If the Protocol for Carrying Authentication for Network Access (PANA) is used, the xid can be generated from the PANA Session ID according to a certain rule.
  • Step S404 The user equipment applies for an IPv6 address prefix through the DHCP PD, and the xid of all DHCP messages remains unchanged during the IPv6 address prefix delegation process.
  • The xid is equivalent to the IP Session ID and stays the same for the lifetime of the same IP session. If the IPv6 address prefix is reassigned to the user equipment (renumbering), an old IP Session is considered to have been updated to a new IP Session, and the xid changes together with the new IP Session.
  • Step S405 When the IPv6 address prefix is successfully delegated, the DHCP server sends the IPv6 address prefix to the user equipment by using a DHCP Reply message.
  • Step S406 The BNG and the user equipment may use the IPv6 address prefix delegated by the DHCP Reply message as the IPv6 Session ID.
  • The IPv6 address prefix is thereby bound to the IPv6 session, and the IPv6 Session ID can be bound to the MAC address of the user equipment or the access port to form a binding relationship table.
  • If the IPv6 address prefix is reassigned to the Subscriber, an old IP Session is considered to have been updated to a new IP Session, and a new IP Session ID is generated from the new IPv6 address prefix, triggered by the new DHCP Reply message.
  • Step S407 The BNG filters the IPv6 Session ID of the received IPv6 packet.
  • The BNG filters the packets of the IP session according to the preset binding between the IPv6 Session ID and the MAC address of the user device or the access port.
  • The BNG checks the preset binding relationship table to determine whether the packets of the received IP session come from the preset MAC address or access port.
  • When the network gateway determines that the packet of the received IP session comes from the preset MAC address or access port, it determines that the user equipment that sent the packet is the authenticated user equipment, and the BNG allows the packet sent by that user equipment to pass.
  • Otherwise, the BNG determines that the user equipment that sent the packet is not a user equipment that has passed authentication and directly discards the packet.
  • It should be further noted that, in the following embodiments, the process by which the BNG filters received IPv6 packets by IPv6 Session ID is the same as this step and is not described again.
  • Step S408 Perform data communication by using a data stream carrying an IPv6 Session ID.
  • the IPv6 data packets carry the IPv6 session ID generated according to the IPv6 session ID generation rule determined after the authentication succeeds.
  • Step S409 Liveness monitoring of the data communication state is performed by using a keep-alive carrying the IPv6 Session ID.
  • The IPv6 Session ID carried in the keep-alive is the one generated by the IPv6 Session ID generation rule.
  • There is no necessary time order between step S408 and step S409 in a specific implementation environment, and changing the order of the two steps does not affect the protection scope of the present invention.
  • Step S410 The IPv6 address prefix is released or renumbered.
  • When the IPv6 address prefix is released or re-allocated, an old IP session is considered to have been updated to a new IP session, that is, the current IPv6 session is terminated.
  • Step S411 The IPv6 Session ID is released.
  • The technical solution of the embodiment of the present invention has the following advantage: because the IP session is filtered by verifying whether an IP session identifier generated according to a preset rule has been added to the IP session, the data communication process of the IP session is coupled to the authentication process/IP address allocation process, which improves the security of the IP session.
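The filtering described in steps S202 to S204 and S403 to S411 can be modelled in a few dozen lines. The following is an added example written for this page, not code from the patent or from Huawei: it derives a Session ID either from the DHCPv6 xid (carried in the 20-bit IPv6 Flow Label) or from the delegated/advertised IPv6 prefix, keeps a binding relationship table on the BNG, and drops any packet whose Session ID is not bound to the MAC address and access port it arrived from. The truncation rule for the xid, the packet model and all addresses are assumptions of the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, Tuple

# The IPv6 Flow Label field is 20 bits wide, so a Session ID carried in it
# must fit in 20 bits.
FLOW_LABEL_MASK = (1 << 20) - 1

# (MAC address, access port) as observed by the BNG when a packet arrives.
Origin = Tuple[str, str]


def session_id_from_xid(xid: int) -> int:
    """Assumed generation rule for the Flow Label variant (steps S403/S404):
    the 24-bit DHCPv6 transaction id (xid) is truncated to the 20-bit Flow
    Label width. The patent only requires a rule agreed between subscriber
    and operator; this particular rule is an assumption of this example."""
    if not 0 <= xid < (1 << 24):
        raise ValueError("DHCPv6 xid must be a 24-bit value")
    return xid & FLOW_LABEL_MASK


def session_id_from_prefix(prefix: str) -> ipaddress.IPv6Network:
    """Address-prefix variant (steps S406/S505): the delegated or advertised
    IPv6 prefix itself is the Session ID. Normalising it keeps lookups stable
    however the prefix was written; strict=True rejects a 'prefix' that has
    host bits set, which would otherwise silently widen the binding."""
    return ipaddress.IPv6Network(prefix, strict=True)


@dataclass(frozen=True)
class Packet:
    """Constructed model of what the BNG sees for one uplink IPv6 packet."""
    src: str          # IPv6 source address
    flow_label: int   # 20-bit Flow Label from the IPv6 header
    mac: str          # source MAC address on the access side
    port: str         # access port (physical or logical) it arrived on


class BNG:
    """Network gateway holding the binding relationship table."""

    def __init__(self) -> None:
        # Bindings recorded during authentication / address allocation; the
        # user equipment cannot alter them afterwards.
        self.label_bindings: Dict[int, Origin] = {}
        self.prefix_bindings: Dict[ipaddress.IPv6Network, Origin] = {}

    @staticmethod
    def _origin(mac: str, port: str) -> Origin:
        return (mac.lower(), port)

    def bind_label(self, session_id: int, mac: str, port: str) -> None:
        self.label_bindings[session_id & FLOW_LABEL_MASK] = self._origin(mac, port)

    def bind_prefix(self, prefix: str, mac: str, port: str) -> None:
        self.prefix_bindings[session_id_from_prefix(prefix)] = self._origin(mac, port)

    def release_label(self, session_id: int) -> None:
        """Step S411: the session ended, so its ID must stop granting access."""
        self.label_bindings.pop(session_id & FLOW_LABEL_MASK, None)

    def release_prefix(self, prefix: str) -> None:
        """Steps S410/S411: prefix released or renumbered, old binding removed."""
        self.prefix_bindings.pop(session_id_from_prefix(prefix), None)

    def accept(self, pkt: Packet) -> bool:
        """Steps S202-S204 / S407: pass the packet only when the Session ID it
        carries is bound to the MAC address and access port it arrived from.
        A bound Flow Label takes precedence; a deployment would use one variant."""
        origin = self._origin(pkt.mac, pkt.port)
        # Flow Label variant: exact lookup of the carried Session ID.
        bound = self.label_bindings.get(pkt.flow_label & FLOW_LABEL_MASK)
        if bound is not None:
            return bound == origin
        # Address-prefix variant: the source address must lie inside a prefix
        # that was bound to this MAC/port when it was delegated or advertised.
        src = ipaddress.IPv6Address(pkt.src)
        for network, bound in self.prefix_bindings.items():
            if src in network:
                return bound == origin
        # No Session ID known: the sender never completed authentication /
        # address allocation on this gateway, so the packet is dropped.
        return False
```

A forged source MAC or a packet injected on a different access port carries a Session ID that is bound to someone else's origin, so it fails the table check even though the IP address and the label look valid.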
  • the present invention proposes another IP session identification method in a dynamic IPv6 session by using the fourth embodiment, which implements the creation of an IP session identifier in the IP address allocation phase.
  • the method flowchart is as shown in FIG. 5, and includes the following steps: Step S501: The user equipment performs EAP authentication by using the BNG to the authentication server.
  • Step S502 When the EAP authentication of the user equipment is successful, the EAP Success message is sent by the authentication server to the user equipment through the BNG, and the IPv6 session ID generation rule is configured in the user equipment.
  • Step S503 After the EAP authentication of the user equipment succeeds, the user equipment starts SLAAC and sends a Router Solicitation (RS) message to the BNG.
  • Step S504 After receiving the RS message, the BNG sends a Router Advertisement (RA) message to the user equipment.
  • the source address of the RA message is the IPv6 address of the BNG, and the RA message contains the IPv6 address prefix.
  • Step S505 The BNG and the user equipment may use the IPv6 address prefix carried by the RA message as IPv6 Session ID;
  • The IPv6 address prefix is thereby bound to the IPv6 session, and the IPv6 Session ID can be bound to the user equipment MAC address or the access port to form a binding relationship table.
  • If the IPv6 address prefix is reassigned to the Subscriber, an old IP Session is considered to have been updated to a new IP Session, and a new IP Session ID is generated from the new IPv6 address prefix, triggered by the new RA message.
  • Step S506 The BNG filters the IPv6 session ID of the received IPv6 packet.
  • Step S507 Perform data communication by using the data stream carrying the IPv6 session ID.
  • the IPv6 data packets carry the IPv6 session ID generated according to the IPv6 session ID generation rule determined after the authentication succeeds.
  • Step S508 Liveness monitoring of the data communication state is performed by using a keep-alive carrying the IPv6 Session ID.
  • The IPv6 Session ID of the IPv6 Session is the one generated by the IPv6 Session ID generation rule.
  • There is no necessary time order between step S507 and step S508 in a specific implementation environment, and changing the order of the two steps does not affect the protection scope of the present invention.
  • Step S509 The IPv6 address prefix is released or re-allocated (renumbering);
  • When the IPv6 address prefix is released or re-allocated, an old IP session is considered to have been updated to a new IP session, that is, the current IPv6 session is terminated.
  • Step S510 The IPv6 Session ID is released.
  • The technical solution of this embodiment has the following advantage: because IP sessions are filtered by checking whether the IP session carries an IP session identifier generated according to a preset rule, a coupling relationship is established between the data communication phase of the IP session and the authentication process/IP address allocation process, which improves the security of the IP session.
  • The fifth embodiment of the present invention provides another IP session identification method in a dynamic IPv6 session.
  • The method creates the IP session identifier in the IP address allocation phase.
  • The flowchart of the specific method is shown in FIG. 6 and includes the following steps: Step S601: the user equipment performs EAP authentication with the authentication server through the BNG;
  • Step S602: when the EAP authentication of the user equipment succeeds, the authentication server sends an EAP Success message to the user equipment through the BNG, and the IPv6 Session ID generation rule is configured in the user equipment.
  • Step S603: the BNG and the user equipment each generate the IPv6 Session ID according to the IPv6 Session ID generation rule.
  • The BNG and the user equipment can generate the IPv6 Session ID from the EAP Identifier of the EAP Success message according to a certain rule. If PANA is used, the IPv6 Session ID can be generated from the PANA Session ID according to a certain rule.
  • Step S604: the BNG filters received IPv6 packets by their IPv6 Session ID.
  • Step S605: the user equipment applies for an IPv6 address using a stateless or stateful address allocation method. During the IPv6 address allocation process, all uplink messages carry the IPv6 Session ID generated by the IPv6 Session ID generation rule after authentication succeeds.
  • Step S606: data communication is performed using data streams carrying the IPv6 Session ID; the IPv6 data packets carry the IPv6 Session ID generated by the IPv6 Session ID generation rule determined after authentication succeeds.
  • Step S607: liveness monitoring of the data communication state is performed using keepalive messages carrying the IPv6 Session ID; the IPv6 Session ID of the IPv6 session is the one generated by the IPv6 Session ID generation rule.
  • It should be noted that there is no necessary chronological relationship between step S606 and step S607 in a specific implementation environment, and changing the order of the two steps does not affect the protection scope of the present invention.
  • Step S608: the IPv6 address is released.
  • Step S609: the IPv6 session is terminated, and the IPv6 Session ID is released.
  • The technical solution of this embodiment has the following advantage: because IP sessions are filtered by checking whether the IP session carries an IP session identifier generated according to a preset rule, a coupling relationship is established between the data communication phase of the IP session and the authentication process/IP address allocation process, which improves the security of the IP session.
  • The sixth embodiment of the present invention proposes another IP session identification method in a dynamic IPv6 session.
  • The method creates the IP session identifier in the IP address allocation phase.
  • The flowchart of the method is shown in FIG. 7 and includes the following steps: Step S701: the user equipment performs EAP authentication with the authentication server through the BNG.
  • Step S702: when the EAP authentication of the user equipment succeeds, the authentication server sends an EAP Success message to the user equipment through the BNG, and the IPv6 Session ID generation rule is configured.
  • Step S703: after the EAP authentication of the user equipment succeeds, the user equipment initiates stateful address allocation and generates a DHCP Transaction ID (xid for short); the user equipment may generate the xid from the EAP Identifier of the EAP Success message according to a certain rule; if PANA is used, the xid may also be generated from the PANA Session ID according to a certain rule.
  • Step S704: the user equipment applies for an IPv6 address using stateful address allocation, and the xid of all DHCP messages remains unchanged during the IPv6 address allocation process.
  • It should be further pointed out that the xid is equivalent to the IP Session ID and is recommended to remain consistent for the lifetime of the same IP session; if the DHCP process replaces the IP address through a Reconfigure message, the old IP session is considered to have been updated to a new IP session, and the xid also changes with the new IP session.
  • Step S705: when the IPv6 address is successfully applied for, the DHCP server sends the IPv6 address to the user equipment in a DHCP Reply message.
  • Step S706: the BNG and the user equipment may generate the IPv6 Session ID from the DHCP Transaction ID of the DHCP Reply message according to a certain rule. It should be further pointed out that if the DHCP process replaces the IP address through a Reconfigure/Renew message, the old IP session is considered to have been updated to a new IP session, and re-allocation of the IP Session ID together with the new IP address is triggered by the new DHCP Reply message.
  • Step S707: the BNG filters received IPv6 packets by their IPv6 Session ID.
  • Step S708: data communication is performed using data streams carrying the IPv6 Session ID; the IPv6 data packets carry the IPv6 Session ID generated by the IPv6 Session ID generation rule determined after authentication succeeds.
  • Step S709: liveness monitoring of the data communication state is performed using liveness-monitoring packets carrying the IPv6 Session ID; the IPv6 Session ID of the IPv6 session is the one generated by the IPv6 Session ID generation rule.
  • It should be noted that there is no necessary chronological relationship between step S708 and step S709 in a specific implementation environment, and changing the order of the two steps does not affect the protection scope of the present invention.
  • Step S710 The IPv6 address is released.
  • Step S711 The IPv6 session is terminated and the IPv6 session ID is released.
  • The technical solution of this embodiment has the following advantage: because IP sessions are filtered by checking whether the IP session carries an IP session identifier generated according to a preset rule, a coupling relationship is established between the data communication phase of the IP session and the authentication process/IP address allocation process, which improves the security of the IP session.
  • The seventh embodiment of the present invention proposes another IP session identification method in a dynamic IPv6 session.
  • In this embodiment the IP address allocation phase and the authentication phase are merged, and the method creates the IP session identifier in this merged phase.
  • The flowchart of the specific method is shown in FIG. 8 and includes the following steps:
  • Step S801: the user equipment generates a DHCP Transaction ID (xid for short);
  • Step S802: the user equipment performs DHCP authentication to implement both user equipment authentication and stateful address allocation; during the DHCP authentication process, the xid of all DHCP messages remains unchanged.
  • It should be further pointed out that, because there is no PPP-style session ID negotiation before the DHCP address allocation process, the xid is equivalent to the IP Session ID and is recommended to remain consistent for the lifetime of the same IP session. If the DHCP process replaces the IP address through a Reconfigure/Renew message, the old IP session is considered to have been updated to a new IP session, and the xid also changes with the new IP session.
  • Step S803: when DHCP authentication succeeds, the BNG sends the IPv6 address to the user equipment in a DHCP Reply message, notifying the user equipment that authentication succeeded, and configures the IPv6 Session ID generation rule.
  • If the IP address is replaced, the old IP session is considered to have been updated to a new IP session, and re-allocation of the IP Session ID together with the new IP address is triggered by the new DHCP Reply message.
  • Step S804: the BNG and the user equipment may generate the IPv6 Session ID from the DHCP Transaction ID of the DHCP Reply message according to the IPv6 Session ID generation rule determined after authentication succeeds.
  • Step S805: the BNG filters received IPv6 packets by their IPv6 Session ID.
  • Step S806: data communication is performed using data streams carrying the IPv6 Session ID; the IPv6 data packets carry the IPv6 Session ID generated by the IPv6 Session ID generation rule determined after authentication succeeds.
  • Step S807: liveness monitoring of the data communication state is performed using liveness-monitoring packets carrying the IPv6 Session ID; the IPv6 Session ID of the IPv6 session is the one generated by the IPv6 Session ID generation rule.
  • It should be noted that there is no necessary chronological relationship between step S806 and step S807 in a specific implementation environment, and changing the order of the two steps does not affect the protection scope of the present invention.
  • Step S808 The IPv6 address is released.
  • Step S809 The IPv6 session is terminated, and the IPv6 session ID is released.
  • The technical solution of this embodiment has the following advantage: because IP sessions are filtered by checking whether the IP session carries an IP session identifier generated according to a preset rule, a coupling relationship is established between the data communication phase of the IP session and the authentication process/IP address allocation process, which improves the security of the IP session.
  • The eighth embodiment of the present invention proposes an IP session identification method in a static IPv6 session.
  • Because this is a static IPv6 session, there is no authentication phase; the method creates the IP session identifier during static configuration.
  • The flowchart of the specific method is shown in FIG. 9 and includes the following steps: Step S901: the network statically configures the IPv6 address/address prefix of the user equipment and the IPv6 Session ID generation rule;
  • Step S902: the BNG and the user equipment generate the IPv6 Session ID from the IPv6 address/address prefix of the user equipment according to the pre-configured IPv6 Session ID generation rule.
  • Step S903: the BNG filters received IPv6 packets by their IPv6 Session ID.
  • Step S904: data communication is performed using data streams carrying the IPv6 Session ID; the IPv6 data packets carry the IPv6 Session ID generated by the IPv6 Session ID generation rule determined after authentication succeeds.
  • Step S905: liveness monitoring of the data communication state is performed using keepalive messages carrying the IPv6 Session ID; the IPv6 Session ID of the IPv6 session is the one generated by the IPv6 Session ID generation rule.
  • It should be noted that there is no necessary chronological relationship between step S904 and step S905 in a specific implementation environment, and changing the order of the two steps does not affect the protection scope of the present invention.
  • The technical solution of this embodiment has the following advantage: because IP sessions are filtered by checking whether the IP session carries an IP session identifier generated according to a preset rule, a coupling relationship is established between the data communication phase of the IP session and the authentication process/IP address allocation process, which improves the security of the IP session.
  • The present invention can be implemented in hardware, or in software together with the necessary general-purpose hardware platform. The technical solution of the present invention can be embodied as a software product stored on a non-volatile storage medium (which may be a CD-ROM, a USB flash drive, a removable hard disk, etc.) and containing a number of instructions that cause a computer device (which may be a personal computer, a server, a network device, etc.) to perform the methods described in the various embodiments of the present invention.
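The embodiments above all derive the IPv6 Session ID on both the BNG and the user equipment from a value they already share (the EAP Identifier, the PANA Session ID, the DHCP Transaction ID, or the advertised/delegated/static prefix) and regenerate it on renumbering or release. The following Python model is an added example, not code from the patent or from Huawei: it shows one concrete choice of "agreed rule" for the flow-label variants and the prefix-as-ID variant, plus the create/renumber/release lifecycle of steps S505, S509 and S510. The keyed-hash rule, the key `rule_key`, the MAC address and the prefixes are assumptions constructed for the example; the patent only says "a certain rule".

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

# The IPv6 flow label is a 20-bit field, so a session ID carried there
# (embodiments 5 to 7) has to be reduced to 20 bits.
FLOW_LABEL_BITS = 20
FLOW_LABEL_MASK = (1 << FLOW_LABEL_BITS) - 1


def derive_flow_label_id(rule_key: bytes, seed: bytes) -> int:
    """Hypothetical 'agreed rule' (an assumption, not the patent's rule):
    HMAC-SHA256 over the seed with a key shared by BNG and user equipment,
    truncated to the 20-bit flow label field. Both sides hold the same key
    and saw the same seed, so both obtain the same ID without sending it."""
    digest = hmac.new(rule_key, seed, hashlib.sha256).digest()
    return int.from_bytes(digest[:4], "big") & FLOW_LABEL_MASK


def id_from_eap_identifier(rule_key: bytes, eap_identifier: int) -> int:
    """Embodiment 5 (step S603): the seed is the one-octet EAP Identifier
    of the EAP Success message."""
    return derive_flow_label_id(rule_key, b"EAP-ID:" + bytes([eap_identifier & 0xFF]))


def id_from_dhcp_xid(rule_key: bytes, xid: int) -> int:
    """Embodiments 6 and 7 (steps S706/S804): the seed is the 24-bit DHCPv6
    transaction-id, which stays constant for the whole address allocation."""
    return derive_flow_label_id(rule_key, b"DHCP-XID:" + (xid & 0xFFFFFF).to_bytes(3, "big"))


def id_from_prefix(prefix: str) -> ipaddress.IPv6Network:
    """Embodiments 4 and 8 (steps S505/S902): the advertised, delegated or
    statically configured prefix itself serves as the session ID.
    strict=True rejects a prefix with host bits set."""
    return ipaddress.IPv6Network(prefix, strict=True)


SessionId = Union[int, ipaddress.IPv6Network]


@dataclass
class IPv6Session:
    """Session state as the BNG holds it for one subscriber."""
    mac: str
    session_id: Optional[SessionId] = None
    active: bool = False

    def start(self, session_id: SessionId) -> None:
        self.session_id = session_id
        self.active = True

    def renumber(self, new_prefix: str) -> None:
        """Step S509: a re-allocated prefix replaces the old session with a
        new one, so the ID is regenerated from the new prefix (step S505)."""
        self.session_id = id_from_prefix(new_prefix)

    def release(self) -> None:
        """Steps S510/S609/S711: the session ends and its ID is released."""
        self.session_id = None
        self.active = False


def prefix_session_lifecycle(first_prefix: str, second_prefix: str) -> List[Optional[SessionId]]:
    """Walk embodiment 4 end to end; returns the ID after each transition."""
    session = IPv6Session(mac="00:11:22:33:44:55")  # constructed MAC
    session.start(id_from_prefix(first_prefix))
    history: List[Optional[SessionId]] = [session.session_id]
    session.renumber(second_prefix)
    history.append(session.session_id)
    session.release()
    history.append(session.session_id)
    return history


if __name__ == "__main__":
    key = b"operator-subscriber-agreed-key"  # constructed rule key
    print("EAP-derived ID :", hex(id_from_eap_identifier(key, 7)))
    print("xid-derived ID :", hex(id_from_dhcp_xid(key, 0x123456)))
    print("prefix lifecycle:", prefix_session_lifecycle("2001:db8:1::/48", "2001:db8:2::/48"))
```

The point of the keyed rule is that a third party who observes the EAP Identifier or the xid on a shared medium still cannot reproduce the flow-label value without the rule key, whereas the prefix-as-ID variant relies entirely on the binding table the BNG keeps (step S505) rather than on secrecy of the ID.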

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Computer Security & Cryptography (AREA)
  • Computer Hardware Design (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

An embodiment of the present invention discloses a method, a device and a system for identifying an IP session. The method includes the following steps: according to a preset rule for generating an IP session identity (ID), an IP session ID is generated for the IP session during the authentication process and/or the IP address allocation process; received IP session packets are filtered according to the IP session ID. By applying the technical solution of the present invention, a coupling relationship is established between the data communication process of the IP session and the authentication process/IP address allocation process, and the security of the IP session is enhanced.

Description

IP session identification method, device and system

This application claims priority to Chinese Patent Application No. 200810172313.X, entitled "IP session identification method, device and system", filed with the Chinese Patent Office on October 31, 2008, the entire contents of which are incorporated herein by reference.

Technical field

The present invention relates to the field of communications technologies, and in particular to an IP session identification method, device and system.

Background
In an access network, an Internet Protocol (IP) session represents the network access connection session associated with the IP address of a subscriber/user device. An IP session is the peer of a Point-to-Point Protocol session (PPP session), and "subscriber session" is the collective term for IP sessions and PPP sessions. A PPP session uses PPP's own liveness detection mechanism, while an IP version 4 (IPv4) session uses a Bidirectional Forwarding Detection (BFD)/Address Resolution Protocol (ARP) liveness detection mechanism.

An IP session is usually terminated on an IP edge device, for example a Broadband Network Gateway (BNG)/Broadband Remote Access Server (BRAS); the other side of the IP session is usually terminated on the user equipment, for example a Home Gateway (HGW) or a User Equipment (UE) behind the HGW. That is, an IP session is a session connection established between the user equipment and the IP edge device.

The IP session is used by the network to manage the user's access to the network, for example for accounting and state. In the course of implementing the present invention, the inventor found that the prior art has at least the following problem: in the prior art, the data communication phase of an IP session has no coupling relationship with the authentication process/IP address allocation process. Consequently, even though authentication has succeeded, an attacker may still impersonate the victim during the data communication phase of the IP session by forging the victim's IP address or MAC address, which is a considerable security risk.

Summary of the invention
Embodiments of the present invention provide an IP session identification method, device and system. By checking whether an IP session carries an IP session identifier generated according to a preset rule, the IP session is filtered, so that a coupling relationship is established between the data communication phase of the IP session and the authentication process/IP address allocation process, improving the security of the IP session.

To achieve the above objective, in one aspect an embodiment of the present invention provides an IP session identification method, including the following steps:

generating an IP session identifier for the IP session during the authentication process and/or the IP address allocation process according to a preset IP session identifier generation rule;

filtering received IP session packets according to the IP session identifier.

In another aspect, an embodiment of the present invention further provides a network gateway, including:

a generating module, configured to generate an IP session identifier for the IP session during the authentication process and/or the IP address allocation process according to a preset IP session identifier generation rule;

a processing module, configured to filter received IP session packets according to the IP session identifier.

In another aspect, an embodiment of the present invention further provides an IP session processing system, including a user equipment and a network gateway:

the user equipment is configured to receive the IP session identifier generation rule sent by the network gateway, generate the corresponding IP session identifier according to the IP session identifier generation rule, and send IP session packets to the network gateway; the network gateway is configured to set the IP session identifier generation rule, send the IP session identifier generation rule to the user equipment, generate an IP session identifier for the IP session during the authentication process and/or the IP address allocation process according to the IP session identifier generation rule, and filter the IP session according to the IP session identifier.

The technical solution of the embodiments of the present invention has the following advantage: because IP sessions are filtered by checking whether the IP session carries an IP session identifier generated according to a preset rule, a coupling relationship is established between the data communication phase of the IP session and the authentication process/IP address allocation process, which improves the security of the IP session.

Brief description of the drawings
To illustrate the technical solutions of the embodiments of the present invention more clearly, the drawings needed in the description of the embodiments are briefly introduced below. Obviously, the drawings described below are only some embodiments of the present invention; a person of ordinary skill in the art may obtain other drawings from these drawings without creative effort.

FIG. 1 is a schematic flowchart of an IP session identification method according to Embodiment 1 of the present invention;
FIG. 2 is a schematic flowchart of an IP session identification method according to Embodiment 1 of the present invention;
FIG. 3 is a schematic structural diagram of an IP session processing system according to Embodiment 2 of the present invention;
FIG. 4 is a schematic flowchart of an IP session identification method in a dynamic IPv6 session according to Embodiment 3 of the present invention;

FIG. 5 is a schematic flowchart of another IP session identification method in a dynamic IPv6 session according to Embodiment 4 of the present invention;

FIG. 6 is a schematic flowchart of another IP session identification method in a dynamic IPv6 session according to Embodiment 5 of the present invention;

FIG. 7 is a schematic flowchart of another IP session identification method in a dynamic IPv6 session according to Embodiment 6 of the present invention;
FIG. 8 is a schematic flowchart of another IP session identification method in a dynamic IPv6 session according to Embodiment 7 of the present invention;

FIG. 9 is a schematic flowchart of an IP session identification method in a static IPv6 session according to Embodiment 8 of the present invention.

Detailed description of the embodiments
Embodiments of the present invention provide an IP session identification method, device and system. The specific content of the technical solution is: an IPv6 Session Identity (ID) field is set in the IPv6 flow label, or an IPv6 Session ID field is set in the IPv6 address (for example, the IPv6 address prefix). After the user authentication/IP address allocation process succeeds, the IPv6 Session ID is generated according to a rule agreed between the subscriber and the operator, so that the IPv6 session is coupled to the authentication process/IP address allocation process.

The IPv6 Session ID remains unchanged for the lifetime of the IP session. The BNG filters received packets by IPv6 Session ID, which effectively prevents an attacker from impersonating a user by forging an IP address or MAC address and addresses the security of shared-medium access.

The technical solutions in the embodiments of the present invention are described clearly and completely below with reference to the accompanying drawings. Obviously, the described embodiments are only some, not all, of the embodiments of the present invention. All other embodiments obtained by a person of ordinary skill in the art based on the embodiments of the present invention without creative effort fall within the scope of protection of the present invention.
FIG. 1 is a schematic flowchart of an IP session identification method according to Embodiment 1 of the present invention. The method includes the following steps:

Step S101: the network gateway generates an IP session identifier for the IP session during the authentication process and/or the IP address allocation process according to a preset IP session identifier generation rule.

Specifically, for convenience of description, the embodiments of the present invention take an IPv6 session (IPv6 Session) as an example. It should be further pointed out, however, that other sessions meeting the requirements of the implementation scenarios of the embodiments also fall within the scope of protection of the present invention; this applies throughout and is not repeated below.

IPv6 sessions are divided into dynamic IPv6 sessions and static IPv6 sessions.

A dynamic IPv6 session can be dynamically created and terminated, whereas a static IPv6 session can only be generated by static configuration.
The technical solution proposed by the embodiments of the present invention sets an IPv6 Session ID field in the IPv6 flow label, or sets an IPv6 Session ID field in the IPv6 address (for example, the IPv6 address prefix). For a dynamic IP session, the IP session identifier can be generated during the authentication process and the IP address allocation process, specifically: the authentication Session ID and the Dynamic Host Configuration Protocol Transaction ID (DHCP Transaction ID, xid) are mapped into the IPv6 Session ID field of the IPv6 flow label according to the agreed rule, producing the IPv6 Session ID. For a dynamic IP session, the IP session identifier can also be generated during the authentication process or the IP address allocation process, specifically: the subscriber obtains an IPv6 address prefix through DHCP Prefix Delegation (PD) or StateLess Address AutoConfiguration (SLAAC), and that prefix is mapped according to the agreed rule to serve as the IPv6 Session ID, i.e. the subscriber's IPv6 address prefix is bound to the IPv6 session. For a static IP session, the IPv6 Session ID can be generated from the IPv6 address/IPv6 address prefix according to the agreed rule.

Based on the IPv6 Session ID (for example, the IPv6 address prefix), the IP edge node can authorize the IPv6 session according to the IPv6 Session ID. Authorization of an IPv6 session is usually implemented with an Authentication, Authorization and Accounting (AAA) protocol, and the IPv6 Session ID (for example, the IPv6 address prefix) can be carried in the AAA messages of the IPv6 session.
As for the IPv6 Session ID generation rule: for a dynamic IPv6 session it can be dynamically configured on the user equipment before the IPv6 session is established, or dynamically configured on the user equipment through the authentication protocol/DHCP after authentication/IP address allocation succeeds; for a static IPv6 session the IPv6 Session ID generation rule can be statically configured. That is, before step S101 the method further includes the following two cases: when the IP session is a dynamic IP session, the IP session identifier generation rule is set in the network gateway, and the IP session identifier generation rule is set in the user equipment by sending an authentication confirmation message or an address allocation response message to the user equipment;

when the IP session is a static IP session, the IP session identifier generation rule is set in both the network gateway and the user equipment.

Corresponding to the two cases above, the specific content of step S101 is likewise divided into two cases: when the IP session is a dynamic IP session, the IP session identifier is generated for the IP session during the authentication process and/or the IP address allocation process, according to the preset IP session identifier generation rule, from the IP session address prefix obtained through address-allocation prefix delegation or through a router advertisement (RA), or from the authentication identifier in the authentication confirmation message, or from the transaction identifier in the address allocation response message; when the IP session is a static IP session, the IP session identifier is generated for the IP session during the IP address allocation process, according to the preset IP session identifier generation rule, from the IP session address or IP session address prefix preset in the user equipment.

It should be further pointed out that, when the IP session is a dynamic IP session, after the IP session identifier has been generated from the transaction identifier in the address allocation response message, the method further includes the following step:

when the IP address allocation result of the IP session is updated, an updated IP session identifier is generated for the IP session according to the preset IP session identifier generation rule, from the transaction identifier in the updated address allocation response message.
The IPv6 Session ID does not change during the lifetime of the IP Session.
An IPv6 Session is identified by its IPv6 Session ID.
Step S102: filter received IP session packets according to the IP session identifier.
Further, when the IP session is a dynamic IP session, the method above further includes: when the IP session terminates, releasing the IP session identifier.
Further, in a specific application environment, the method above, as shown in FIG. 2, may include the following steps:
Step S201: the network gateway generates an IP session identifier for the IP session during the authentication process and/or the IP address allocation process, according to the preset IP session identifier generation rule;
This step is the same as the detailed description of step S101 and is not repeated in this embodiment.
Step S202: the network gateway determines whether the IP session identifier and the MAC address or access port of the user equipment match the preset binding relationship table;
In this step, the network gateway determines whether the correspondence between the user equipment's MAC address or access port and this IP session identifier is consistent with the information in the preset binding relationship table, that is, whether the received packet of the IP session comes from the preset MAC address or access port; in other words, whether the IP session was initiated from an authenticated port and satisfies the authentication requirement.
The binding relationship table is specifically the table of bindings between the IP session identifier generated when the user equipment completed authentication and the user equipment's MAC address or access port.
The access port may be a physical access port (such as a digital subscriber line port or a passive optical network physical interface) or a logical access port (such as a virtual local area network port or a gigabit passive optical network encapsulation mode port).
When the network gateway determines that the IP session identifier and the MAC address or access port of the user equipment match the preset binding relationship table, the process proceeds to step S203;
When the network gateway determines that the IP session identifier and the MAC address or access port of the user equipment do not match the preset binding relationship table, the process proceeds to step S204.
Step S203: the network gateway allows the packet to pass;
That is, the user equipment that sent the packet is an authenticated user equipment, the packet is regarded as safe, and it is allowed through.
Step S204: the network gateway discards the packet.
That is, the user equipment that sent the packet is not an authenticated user equipment; because the safety of the packet is unknown, the packet is discarded.
Further, when the IP session is a dynamic IP session, the method above further includes: when the IP session terminates, releasing the IP session identifier.
The technical solution of this embodiment has the following advantage: because IP session filtering is implemented by checking whether the IP session carries an IP session identifier generated according to the preset rule, the data communication process is coupled to the authentication process and/or the IP address allocation process, which improves the security of the IP session.
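The gateway-side filter of steps S201 to S204, together with the release step and the renumbering case noted above, as an added example in Python. This is illustrative code written for this page, not the patent's or Huawei's implementation; the packet layout, the BindingTable class and the port naming are assumptions. One point the example makes explicit: the session identifier is not a secret (in the later embodiments it is the delegated prefix, visible on the wire), so what actually stops another host from reusing it is the binding to the MAC address and access port learned at authentication time, and the table refuses to rebind an identifier that is already bound to a different host.

```python
"""Added example (not from the patent): the BNG-side check of steps S202-S204.
A session identifier is bound to (MAC, access port) when authentication
succeeds; a later packet carrying that identifier is allowed only if it
arrives from the same MAC on the same port.  Names are assumptions."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

ALLOW = "allow"
DROP = "drop"


@dataclass(frozen=True)
class Packet:
    session_id: str    # IP session identifier carried by the packet
    src_mac: str       # MAC address of the sending user equipment
    access_port: str   # physical or logical port the packet arrived on


@dataclass
class BindingTable:
    """Session identifier -> (MAC, access port), filled at authentication."""
    entries: Dict[str, Tuple[str, str]] = field(default_factory=dict)

    def bind(self, session_id: str, mac: str, port: str) -> None:
        binding = (mac.lower(), port)
        existing = self.entries.get(session_id)
        if existing is not None and existing != binding:
            # Refuse to let a second host take over an identifier in use.
            raise ValueError(f"{session_id} already bound to {existing}")
        self.entries[session_id] = binding

    def release(self, session_id: str) -> None:
        """Session terminated: the identifier is released (step after S204)."""
        self.entries.pop(session_id, None)

    def renumber(self, old_id: str, new_id: str) -> None:
        """Prefix or address reassignment: the old session ends and a new
        session with a new identifier begins for the same host."""
        binding = self.entries.pop(old_id, None)
        if binding is None:
            raise KeyError(old_id)
        self.bind(new_id, *binding)


def filter_packet(table: BindingTable, pkt: Packet) -> str:
    """Steps S202-S204: allow only if (session id, MAC, port) match the table."""
    binding = table.entries.get(pkt.session_id)
    if binding is None:
        return DROP   # never authenticated, or already released
    mac, port = binding
    if pkt.src_mac.lower() == mac and pkt.access_port == port:
        return ALLOW
    return DROP


def demo() -> List[str]:
    """Constructed packets: a legitimate host, a spoofer on another MAC, the
    same MAC on the wrong port, an unknown identifier, then renumbering and
    release of the session."""
    table = BindingTable()
    sid, mac, port = "2001:db8:1::/48", "00:11:22:33:44:55", "dsl:1/3"
    table.bind(sid, mac, port)
    verdicts = [
        filter_packet(table, Packet(sid, mac, port)),
        filter_packet(table, Packet(sid, "66:77:88:99:aa:bb", port)),
        filter_packet(table, Packet(sid, mac, "dsl:1/4")),
        filter_packet(table, Packet("2001:db8:7::/48", mac, port)),
    ]
    table.renumber(sid, "2001:db8:9::/48")
    verdicts.append(filter_packet(table, Packet(sid, mac, port)))
    verdicts.append(filter_packet(table, Packet("2001:db8:9::/48", mac, port)))
    table.release("2001:db8:9::/48")
    verdicts.append(filter_packet(table, Packet("2001:db8:9::/48", mac, port)))
    return verdicts


if __name__ == "__main__":
    print(demo())
```

Only the first packet and the packet carrying the post-renumbering identifier are allowed; the old identifier stops working the moment the prefix is reassigned, which is the behaviour the embodiments below describe for renumbering.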
Corresponding to the technical solution of Embodiment 1, Embodiment 2 of the present invention provides an IP session processing system. FIG. 3 is a schematic structural diagram of the IP session processing system of Embodiment 2. As shown in FIG. 3, it includes a user equipment 1 and a network gateway 2:
User equipment 1 is configured to receive the IP session identifier generation rule sent by network gateway 2, generate the corresponding IP session identifier according to that rule, and send IP session packets to network gateway 2. Further, user equipment 1 is also configured to set an IP session address or IP session address prefix, which provides the basis for generating the IP session identifier.
Network gateway 2 is configured to set the IP session identifier generation rule, send it to user equipment 1, generate an IP session identifier for the IP session during the authentication process and/or the IP address allocation process according to that rule, and filter the IP session according to the IP session identifier. Network gateway 2 specifically includes:
a setting module 21, configured to set the IP session identifier generation rule and the binding relationship table in network gateway 2;
a sending module 22, configured to send the IP session identifier generation rule set by setting module 21 to user equipment 1, so that user equipment 1 sets the same rule;
a generating module 23, configured to generate an IP session identifier for the IP session during the authentication process and/or the IP address allocation process according to the rule preset by setting module 21. This module specifically includes: an obtaining sub-module 231, configured to obtain the IP session address prefix through address-allocation prefix delegation or through a router advertisement, or to obtain the authentication identifier from the authentication confirmation message, or to obtain the transaction identifier from the address allocation response message, or to obtain the IP session address or IP session address prefix preset in user equipment 1; and a generating sub-module 232, configured to generate the IP session identifier for the IP session, according to the rule preset by setting module 21, based on the IP session address prefix, authentication identifier, transaction identifier, or preset IP session address or prefix obtained by obtaining sub-module 231;
an updating sub-module 233, configured to generate an updated IP session identifier for the IP session when the IP address allocation result of the IP session is updated, according to the rule preset by setting module 21, based on the transaction identifier in the updated address allocation response message obtained by obtaining sub-module 231;
a processing module 24, configured to filter received IP session packets according to the IP session identifier. Processing module 24 may include:
a determining sub-module 241, configured to determine whether the IP session identifier and the MAC address or access port of user equipment 1 match the binding relationship table set by setting module 21;
a filtering sub-module 242, configured to allow the packet to pass if determining sub-module 241 determines that the IP session identifier and the MAC address or access port of user equipment 1 match the preset binding relationship table, and to discard the packet if determining sub-module 241 determines that they do not match;
a releasing module 25, configured to release the IP session identifier generated by generating module 23 when the IP session terminates.
The modules above may be located in one device or distributed across several devices. They may be merged into a single module or further split into several sub-modules.
The technical solution of this embodiment has the following advantage: because the system filters IP sessions by checking whether the IP session carries an IP session identifier generated according to the preset rule, the data communication process is coupled to the authentication process and/or the IP address allocation process, which improves the security of the IP session.
Corresponding to the technical solution of Embodiment 1, Embodiment 3 of the present invention provides a method for identifying an IP session in a dynamic IPv6 Session, in which the IP session identifier is created during the authentication phase. The flowchart is shown in FIG. 4 and includes the following steps:
Step S401: the subscriber's user equipment performs Extensible Authentication Protocol (EAP) authentication with the authentication server through the BNG;
Here, the BNG (broadband network gateway) is the network gateway referred to in the preceding embodiments, and the user equipment is the Subscriber in this specific application environment; it may be a single user terminal accessing the network, or a network access device such as a home gateway with several terminals behind it. This applies equally to the later embodiments and is not repeated; the change of name does not affect the protection scope of the present invention.
Step S402: when the EAP authentication of the user equipment succeeds, the authentication server sends an EAP Success message to the user equipment through the BNG, and the IPv6 Session ID generation rule is configured in the user equipment corresponding to that subscriber;
Step S403: after the EAP authentication succeeds, the user equipment starts DHCP Prefix Delegation (PD) and generates a DHCP Transaction ID (xid). The user equipment may derive the xid from the EAP Identifier of the EAP Success message according to a certain rule; if the Protocol for carrying Authentication for Network Access (PANA) is used, the xid may instead be derived from the PANA Session ID according to a certain rule;
Step S404: the user equipment requests an IPv6 address prefix through DHCP PD; during the IPv6 prefix delegation process the xid of all DHCP messages remains unchanged;
It should be noted that, because there is no Session ID negotiation comparable to that of PPP before the DHCP PD process, the xid serves as the IP Session ID and remains the same throughout the lifetime of one IP Session. If the user equipment's IPv6 address prefix is reassigned (renumbering), the old IP Session is regarded as replaced by a new IP Session, and the xid changes with the new IP Session.
Step S405: when prefix delegation succeeds, the DHCP server sends the IPv6 address prefix to the user equipment in a DHCP Reply message;
Step S406: the BNG and the user equipment may use the IPv6 address prefix delegated in the DHCP Reply message as the IPv6 Session ID;
That is, the IPv6 address prefix is bound to the IPv6 Session. Further, the IPv6 Session ID may also be bound to the user equipment's MAC address and/or access port to form the binding relationship table.
It should be noted that if the Subscriber's IPv6 address prefix is reassigned, the old IP Session is regarded as replaced by a new IP Session, and a new IP Session ID is generated, triggered by the new DHCP Reply message that reassigns the IPv6 address prefix.
Step S407: the BNG filters received IPv6 packets by their IPv6 Session ID;
The BNG filters the packets of the IP session according to the preset binding between the IPv6 Session ID and the user equipment's MAC address and/or access port; that is, by checking the preset binding relationship table, the BNG determines whether a received packet of the IP session comes from the preset MAC address or access port.
When the network gateway determines that the received packet of the IP session comes from the preset MAC address or access port, the user equipment that sent it is judged to be an authenticated user equipment, and the BNG allows the packet through.
When the network gateway determines that the received packet of the IP session does not come from the preset MAC address or access port, the BNG discards the packet.
Correspondingly, the user equipment that sent the packet is judged not to be an authenticated user equipment, and the BNG discards the packet directly. It should further be noted that in the later embodiments the BNG filters received IPv6 packets by their IPv6 Session ID in the same way as in this step, which is not repeated below.
Step S408: data communication is carried out by data flows carrying the IPv6 Session ID;
In the data communication phase, every IPv6 data packet carries the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication.
Step S409: the liveness of the data communication state is monitored with keep-alive packets carrying the IPv6 Session ID; the keep-alive packets of the IPv6 Session (such as BFD packets) all carry the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication.
It should be noted that steps S408 and S409 have no necessary chronological order in a specific implementation; changing their order does not affect the protection scope of the present invention.
Step S410: the IPv6 address prefix is released or reassigned (renumbering).
When the IPv6 address prefix is released or reassigned, the old IP Session is regarded as replaced by a new IP Session, that is, the current IPv6 session is judged to have terminated.
Step S411: the IPv6 Session ID is released.
The technical solution of this embodiment has the following advantage: because IP session filtering is implemented by checking whether the IP session carries an IP session identifier generated according to the preset rule, the data communication process is coupled to the authentication process and/or the IP address allocation process, which improves the security of the IP session.
Corresponding to the technical solution of Embodiment 1, Embodiment 4 of the present invention provides another method for identifying an IP session in a dynamic IPv6 Session, in which the IP session identifier is created during the IP address allocation phase. The flowchart is shown in FIG. 5 and includes the following steps:
Step S501: the user equipment performs EAP authentication with the authentication server through the BNG;
Step S502: when the EAP authentication of the user equipment succeeds, the authentication server sends an EAP Success message to the user equipment through the BNG, and the IPv6 Session ID generation rule is configured in the user equipment;
Step S503: after the EAP authentication succeeds, the user equipment starts SLAAC and sends a Router Solicitation (RS) message to the BNG;
Step S504: after receiving the RS message, the BNG sends a Router Advertisement (RA) message to the user equipment;
The source address of the RA message is the BNG's IPv6 address, and the RA message contains an IPv6 address prefix.
Step S505: the BNG and the user equipment may use the IPv6 address prefix carried in the RA message as the IPv6 Session ID;
That is, the IPv6 address prefix is bound to the IPv6 Session. Further, the IPv6 Session ID may also be bound to the user equipment's MAC address and/or access port to form the binding relationship table;
It should be noted that if the Subscriber's IPv6 address prefix is reassigned, the old IP Session is regarded as replaced by a new IP Session, and a new IP Session ID is generated, triggered by the new RA message that reassigns the IPv6 address prefix.
Step S506: the BNG filters received IPv6 packets by their IPv6 Session ID;
Step S507: data communication is carried out by data flows carrying the IPv6 Session ID;
In the data communication phase, every IPv6 data packet carries the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication.
Step S508: the liveness of the data communication state is monitored with keep-alive packets carrying the IPv6 Session ID;
The keep-alive packets of the IPv6 Session (such as BFD packets) all carry the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication.
It should be noted that steps S507 and S508 have no necessary chronological order in a specific implementation; changing their order does not affect the protection scope of the present invention.
Step S509: the IPv6 address prefix is released or reassigned (renumbering);
When the IPv6 address prefix is released or reassigned, the old IP Session is regarded as replaced by a new IP Session, that is, the current IPv6 session is judged to have terminated.
Step S510: the IPv6 Session ID is released.
The technical solution of this embodiment has the following advantage: because IP session filtering is implemented by checking whether the IP session carries an IP session identifier generated according to the preset rule, the data communication process is coupled to the authentication process and/or the IP address allocation process, which improves the security of the IP session.
Corresponding to the technical solution of Embodiment 1, Embodiment 5 of the present invention provides another method for identifying an IP session in a dynamic IPv6 Session, in which the IP session identifier is created during the IP address allocation phase. The flowchart is shown in FIG. 6 and includes the following steps:
Step S601: the user equipment performs EAP authentication with the authentication server through the BNG;
Step S602: when the EAP authentication of the user equipment succeeds, the authentication server sends an EAP Success message to the user equipment through the BNG, and the IPv6 Session ID generation rule is configured in the user equipment;
Step S603: the BNG and the user equipment each generate the IPv6 Session ID according to the IPv6 Session ID generation rule;
The BNG and the user equipment may derive the IPv6 Session ID from the EAP Identifier of the EAP Success message according to a certain rule; if PANA is used, the IPv6 Session ID may instead be derived from the PANA Session ID according to a certain rule.
Step S604: the BNG filters received IPv6 packets by their IPv6 Session ID;
Step S605: the user equipment requests an IPv6 address by stateless or stateful address allocation; during the IPv6 address allocation process, every upstream message carries the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication.
Step S606: data communication is carried out by data flows carrying the IPv6 Session ID;
In the data communication phase, every IPv6 data packet carries the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication.
Step S607: the liveness of the data communication state is monitored with keep-alive packets carrying the IPv6 Session ID;
The keep-alive packets of the IPv6 Session (such as BFD packets) all carry the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication.
It should be noted that steps S606 and S607 have no necessary chronological order in a specific implementation; changing their order does not affect the protection scope of the present invention.
Step S608: the IPv6 address is released;
Step S609: the IPv6 Session terminates and the IPv6 Session ID is released.
The technical solution of this embodiment has the following advantage: because IP session filtering is implemented by checking whether the IP session carries an IP session identifier generated according to the preset rule, the data communication process is coupled to the authentication process and/or the IP address allocation process, which improves the security of the IP session.
Corresponding to the technical solution of Embodiment 1, Embodiment 6 of the present invention provides another method for identifying an IP session in a dynamic IPv6 Session, in which the IP session identifier is created during the IP address allocation phase. The flowchart is shown in FIG. 7 and includes the following steps:
Step S701: the user equipment performs EAP authentication with the authentication server through the BNG;
Step S702: when the EAP authentication of the user equipment succeeds, the authentication server sends an EAP Success message to the user equipment through the BNG, and the IPv6 Session ID generation rule is configured;
Step S703: after the EAP authentication succeeds, the user equipment starts stateful address allocation and generates a DHCP Transaction ID (xid); the user equipment may derive the xid from the EAP Identifier of the EAP Success message according to a certain rule, or, if PANA is used, from the PANA Session ID according to a certain rule;
Step S704: the user equipment requests an IPv6 address by stateful address allocation; during the IPv6 address allocation process the xid of all DHCP messages remains unchanged;
It should further be noted that, because there is no Session ID negotiation comparable to that of PPP before the DHCP address allocation process, the xid serves as the IP Session ID, and it is recommended that it remain the same throughout the lifetime of one IP Session. If the DHCP process replaces the IP address through a Reconfigure message, the old IP Session is regarded as replaced by a new IP Session, and the xid changes with the new IP Session.
Step S705: when the IPv6 address request succeeds, the DHCP server sends the IPv6 address to the user equipment in a DHCP Reply message;
Step S706: the BNG and the user equipment may derive the IPv6 Session ID from the DHCP Transaction ID of the DHCP Reply message according to a certain rule;
It should further be noted that if the DHCP process replaces the IP address through a Reconfigure or Renew message, the old IP Session is regarded as replaced by a new IP Session, and a new IP Session ID is generated, triggered by the new DHCP Reply message that reassigns the IP address.
Step S707: the BNG filters received IPv6 packets by their IPv6 Session ID;
Step S708: data communication is carried out by data flows carrying the IPv6 Session ID;
In the data communication phase, every IPv6 data packet carries the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication;
Step S709: the liveness of the data communication state is monitored with keep-alive packets carrying the IPv6 Session ID;
The keep-alive packets of the IPv6 Session (such as BFD packets) all carry the IPv6 Session ID produced by the IPv6 Session ID generation rule determined after successful authentication.
It should be noted that steps S708 and S709 have no necessary chronological order in a specific implementation; changing their order does not affect the protection scope of the present invention.
Step S710: the IPv6 address is released;
Step S711: the IPv6 Session terminates and the IPv6 Session ID is released.
The technical solution of this embodiment has the following advantage: because IP session filtering is implemented by checking whether the IP session carries an IP session identifier generated according to the preset rule, the data communication process is coupled to the authentication process and/or the IP address allocation process, which improves the security of the IP session.
对应上述的本发明实施例一所提出的技术方案, 本发明通过实施例七提 出了另一种动态 IPv6 Session中的 IP会话标识方法, 在本方法中, IP地址分 配阶段和认证阶段是合并的, 本方法在该阶段进行 IP会话标识的创建, 具体 方法流程图如图 8所示, 包括以下步骤:  Corresponding to the technical solution proposed in the first embodiment of the present invention, the present invention proposes another IP session identification method in a dynamic IPv6 session by using the seventh embodiment. In the method, the IP address allocation phase and the authentication phase are merged. The method performs the creation of the IP session identifier at this stage. The flowchart of the specific method is shown in FIG. 8, and includes the following steps:
步骤 S801、 用户设备产生 DHCP Transaction ID (简称 xid ) ;  Step S801, the user equipment generates a DHCP Transaction ID (referred to as xid);
Step S802: The user equipment performs DHCP authentication, achieving user equipment authentication and stateful address allocation; during the DHCP authentication process, the xid of all DHCP messages remains unchanged. It should further be pointed out that, because there is no Session ID negotiation process like that of PPP before the DHCP address allocation process, the xid is equivalent to the IP Session ID, and it is recommended that it remain consistent throughout the lifetime of the same IP Session; if the DHCP process changes the IP address through a reconfigure/renew message, this is regarded as the old IP Session being updated to a new IP Session, and the xid also changes along with the new IP Session.
Step S803: When DHCP authentication succeeds, the BNG sends the IPv6 address to the user equipment in a DHCP Reply message, notifies the user equipment that authentication has succeeded, and configures the IPv6 Session ID generation rule;
It should further be pointed out that if the DHCP process changes the IP address through a reconfigure/renew message, this is regarded as the old IP Session being updated to a new IP Session, and the IP Session ID is also regenerated, triggered by the new DHCP Reply message that accompanies the reassignment of the new IP address.
Step S804: The BNG and the user equipment may generate the IPv6 Session ID from the DHCP Transaction ID of the DHCP Reply message according to the IPv6 Session ID generation rule determined after successful authentication;
It should further be pointed out that if the DHCP process changes the IP address through a reconfigure/renew message, this is regarded as the old IP Session being updated to a new IP Session, and the IP Session ID is also regenerated, triggered by the new DHCP Reply message that accompanies the reassignment of the new IP address.
Step S805: The BNG filters received IPv6 packets by their IPv6 Session ID.
Step S806: Data communication is carried out with a data stream carrying the IPv6 Session ID.
In the data communication phase, all IPv6 data packets carry the IPv6 Session ID generated by the IPv6 Session ID generation rule determined after successful authentication.
Step S807: Data communication state liveness monitoring is performed with liveness monitoring packets carrying the IPv6 Session ID;
The liveness monitoring packets of the IPv6 Session (such as BFD packets) all carry the IPv6 Session ID generated by the IPv6 Session ID generation rule determined after successful authentication. It should be noted that, in a concrete implementation environment, step S806 and step S807 have no necessary chronological order; changing the order of the two steps does not affect the protection scope of the present invention.
Step S808: The IPv6 address is released.
Step S809: The IPv6 Session is terminated and the IPv6 Session ID is released.
The technical solution of the embodiment of the present invention has the following advantage: because IP session filtering is implemented by checking whether an IP session identifier generated according to a preset rule has been added to the IP session, a coupling is established between the data communication process of the IP session and the authentication process / IP address allocation process, which improves the security of the IP session.
Corresponding to the technical solution proposed in embodiment one of the present invention above, the present invention proposes, through embodiment eight, an IP session identification method in a static IPv6 Session. In this method, because the session is a static IPv6 session, there is no authentication phase; there is directly an IP address allocation phase, and the IP session identifier is created in that phase. The flowchart of the method is shown in FIG. 9 and includes the following steps:
Step S901: The network statically configures the IPv6 address/address prefix of the user equipment and the IPv6 Session ID generation rule;
Step S902: The BNG and the user equipment generate the IPv6 Session ID from the IPv6 address/address prefix of the user equipment according to the pre-configured IPv6 Session ID generation rule;
Step S903: The BNG filters received IPv6 packets by their IPv6 Session ID.
Step S904: Data communication is carried out with a data stream carrying the IPv6 Session ID.
In the data communication phase, all IPv6 data packets carry the IPv6 Session ID generated by the IPv6 Session ID generation rule determined after successful authentication.
Step S905: Data communication state liveness monitoring is performed with liveness monitoring packets (keep alive) carrying the IPv6 Session ID.
The liveness monitoring packets of the IPv6 Session (such as BFD packets) all carry the IPv6 Session ID generated by the IPv6 Session ID generation rule determined after successful authentication.
It should be noted that, in a concrete implementation environment, step S904 and step S905 have no necessary chronological order; changing the order of the two steps does not affect the protection scope of the present invention. The technical solution of the embodiment of the present invention has the following advantage: because IP session filtering is implemented by checking whether an IP session identifier generated according to a preset rule has been added to the IP session, a coupling is established between the data communication process of the IP session and the authentication process / IP address allocation process, which improves the security of the IP session.
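The following Python model is an added illustration, not code from the patent, of the gateway side of embodiments seven and eight: deriving the session ID from the DHCP Reply's transaction ID (dynamic) or from the configured prefix (static), carrying it in the 20-bit IPv6 flow label (claim 8), filtering each packet against the session ID / MAC / access port binding table (claims 2 and 13), and replacing or releasing the ID on renew and termination (claims 5 and 11). The generation rule itself is an assumption, since the page leaves it unspecified: a keyed SHA-256 truncated to the flow-label width; all names, keys and sample values are constructed.

```python
import hashlib
import ipaddress
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Claim 8 allows the IP session identifier to be carried in the IPv6 flow label,
# which is 20 bits wide; the DHCPv6 transaction-id (xid) is 24 bits wide.
FLOW_LABEL_MASK = (1 << 20) - 1
XID_BYTES = 3


def _truncate(digest: bytes) -> int:
    """Fold the first three digest bytes into a 20-bit flow-label value."""
    return int.from_bytes(digest[:3], "big") & FLOW_LABEL_MASK


def session_id_from_xid(xid: int, rule_key: bytes) -> int:
    """Dynamic session (embodiment seven, step S804).

    ASSUMED generation rule (the page leaves it unspecified): keyed SHA-256 of the
    DHCP Reply's transaction-id, truncated to the flow-label width. The key stands
    for the rule the BNG configures on the user equipment in step S803.
    """
    if not 0 <= xid < (1 << (8 * XID_BYTES)):
        raise ValueError("DHCPv6 transaction-id must fit in 24 bits")
    return _truncate(hashlib.sha256(rule_key + xid.to_bytes(XID_BYTES, "big")).digest())


def session_id_from_prefix(prefix: str, rule_key: bytes) -> int:
    """Static session (embodiment eight, step S902): the same assumed rule, fed with
    the statically configured IPv6 address/prefix instead of a transaction-id."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    material = rule_key + net.network_address.packed + bytes([net.prefixlen])
    return _truncate(hashlib.sha256(material).digest())


@dataclass(frozen=True)
class Packet:
    """What the BNG inspects: the flow label carrying the session ID and the
    layer-2 context the binding relationship table is keyed on (claims 2 and 13)."""
    flow_label: int
    mac: str
    port: str


class BNG:
    """Minimal model of the gateway: binding table plus the per-packet filter."""

    def __init__(self, rule_key: bytes) -> None:
        self.rule_key = rule_key
        # session ID -> (MAC address, access port): the preset binding relationship table
        self.bindings: Dict[int, Tuple[str, str]] = {}

    def dhcp_reply(self, xid: int, mac: str, port: str) -> int:
        """Steps S803/S804: the Reply fixes the address and both sides derive the ID."""
        sid = session_id_from_xid(xid, self.rule_key)
        self.bindings[sid] = (mac, port)
        return sid

    def static_session(self, prefix: str, mac: str, port: str) -> int:
        """Steps S901/S902: a static session bound from the configured prefix."""
        sid = session_id_from_prefix(prefix, self.rule_key)
        self.bindings[sid] = (mac, port)
        return sid

    def renew(self, old_xid: int, new_xid: int, mac: str, port: str) -> int:
        """Note after step S803 and claim 5: a reconfigure/renew that changes the
        address replaces the old session, so its ID stops matching and the new
        Reply triggers a fresh ID."""
        self.bindings.pop(session_id_from_xid(old_xid, self.rule_key), None)
        return self.dhcp_reply(new_xid, mac, port)

    def release(self, sid: int) -> None:
        """Steps S808/S809 and claim 11: the session ended, the ID is released."""
        self.bindings.pop(sid, None)

    def accept(self, pkt: Packet) -> bool:
        """Step S805 and claim 2: pass only if (session ID, MAC, port) is bound."""
        bound: Optional[Tuple[str, str]] = self.bindings.get(pkt.flow_label)
        return bound is not None and bound == (pkt.mac, pkt.port)


def demo() -> Dict[str, bool]:
    """Walk a constructed dynamic session through allocation, renew and release."""
    bng = BNG(rule_key=b"constructed-rule-secret")
    mac, port = "00:11:22:33:44:55", "ge-0/0/1"  # constructed sample values
    sid = bng.dhcp_reply(xid=0x1A2B3C, mac=mac, port=port)
    results = {
        "bound_packet": bng.accept(Packet(sid, mac, port)),
        "mismatched_mac": bng.accept(Packet(sid, "66:77:88:99:aa:bb", port)),
        "mismatched_port": bng.accept(Packet(sid, mac, "ge-0/0/2")),
        "unknown_label": bng.accept(Packet((sid + 1) & FLOW_LABEL_MASK, mac, port)),
    }
    new_sid = bng.renew(old_xid=0x1A2B3C, new_xid=0x4D5E6F, mac=mac, port=port)
    results["old_id_after_renew"] = bng.accept(Packet(sid, mac, port))
    results["new_id_after_renew"] = bng.accept(Packet(new_sid, mac, port))
    bng.release(new_sid)
    results["after_release"] = bng.accept(Packet(new_sid, mac, port))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:>20}: {'pass' if decision else 'drop'}")
```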
From the description of the above embodiments, those skilled in the art can clearly understand that the present invention may be implemented in hardware, or in software plus the necessary general-purpose hardware platform. Based on this understanding, the technical solution of the present invention may be embodied in the form of a software product, which may be stored in a non-volatile storage medium (such as a CD-ROM, USB flash drive or removable hard disk) and includes a number of instructions for causing a computer device (which may be a personal computer, a server, a network device, etc.) to execute the methods described in the various embodiments of the present invention.
Those skilled in the art can understand that the drawings are merely schematic diagrams of a preferred embodiment, and the modules or processes in the drawings are not necessarily required for implementing the present invention. The above is merely a preferred embodiment of the present invention; it should be noted that those of ordinary skill in the art may make several improvements and refinements without departing from the principles of the present invention, and these improvements and refinements should also be regarded as within the protection scope of the present invention.

Claims

1. An IP session identification method, characterized in that it comprises:
generating, according to a preset IP session identifier generation rule, an IP session identifier for an IP session during an authentication process and/or an IP address allocation process; and
filtering received IP session packets according to the IP session identifier.
2. The IP session identification method according to claim 1, characterized in that filtering the received IP session packets according to the IP session identifier specifically comprises:
determining whether the IP session identifier and the MAC address or access port of the user equipment conform to a preset binding relationship table;
if the IP session identifier and the MAC address or access port of the user equipment conform to the preset binding relationship table, allowing the IP session packet to pass; if the IP session identifier and the MAC address or access port of the user equipment do not conform to the preset binding relationship table, discarding the IP session packet.
3. The IP session identification method according to claim 1 or 2, characterized in that, before generating, according to the preset IP session identifier generation rule, the IP session identifier for the IP session during the authentication process and/or the IP address allocation process, the method further comprises the step of setting the IP session identifier generation rule:
when the IP session is a dynamic IP session, setting the IP session identifier generation rule locally, and setting the IP session identifier generation rule in the user equipment by sending an authentication confirmation message or an address allocation response message to the user equipment.
4. The IP session identification method according to claim 3, characterized in that generating, according to the preset IP session identifier generation rule, the IP session identifier for the IP session during the authentication process and/or the IP address allocation process specifically comprises:
generating, according to the preset IP session identifier generation rule, the IP session identifier for the IP session during the authentication process and/or the IP address allocation process from the IP session address prefix obtained through address allocation prefix delegation or through router advertisement, or from the authentication identifier in the authentication confirmation message, or from the execution identifier in the address allocation response message.
5. The IP session identification method according to claim 4, characterized in that, after generating, according to the preset IP session identifier generation rule, the IP session identifier for the IP session during the authentication process and/or the IP address allocation process from the execution identifier in the address allocation response message, the method further comprises:
when the IP address allocation result of the IP session is updated, generating, according to the preset IP session identifier generation rule, an updated IP session identifier for the IP session from the execution identifier in the updated address allocation response message.
6. The IP session identification method according to claim 1 or 2, characterized in that, before generating, according to the preset IP session identifier generation rule, the IP session identifier for the IP session during the authentication process and/or the IP address allocation process, the method further comprises the step of setting the IP session identifier generation rule:
when the IP session is a static IP session, setting the IP session identifier generation rule locally and in the user equipment.
7. The IP session identification method according to claim 6, characterized in that generating, according to the preset IP session identifier generation rule, the IP session identifier for the IP session during the authentication process and/or the IP address allocation process specifically comprises:
generating, according to the preset IP session identifier generation rule, the IP session identifier for the IP session during the IP address allocation process from the obtained IP session address or IP session address prefix preset in the user equipment.
8. The IP session identification method according to claim 1, characterized in that the IP session identifier is the flow label or the IP address prefix of the IP session packet.
9. The IP session identification method according to claim 1, characterized in that the IP session identifier is carried in an AAA message of the IP session, and an IP edge node authorizes the IP session according to the IP session identifier.
10. The IP session identification method according to claim 4, characterized in that, when the IP session identifier is generated for the IP session during the authentication process and/or the IP address allocation process from the IP session address prefix obtained through address allocation prefix delegation or through router advertisement, the method further comprises:
releasing the IP session identifier when the IP session address prefix is released or reassigned.
11. The IP session identification method according to claim 3, characterized in that, when the IP session is a dynamic IP session, the method further comprises:
releasing the IP session identifier when the IP session terminates.
12. A network gateway, characterized in that it comprises:
a generation module, configured to generate, according to a preset IP session identifier generation rule, an IP session identifier for an IP session during an authentication process and/or an IP address allocation process; and
a processing module, configured to filter received IP session packets according to the IP session identifier.
13. The network gateway according to claim 12, characterized in that the processing module comprises: a determination submodule, configured to determine whether the IP session identifier and the MAC address or access port of the user equipment conform to a preset binding relationship table; and
a filtering submodule, configured to allow the packet to pass if the determination submodule determines that the IP session identifier and the MAC address or access port of the user equipment conform to the preset binding relationship table, and to discard the packet if the determination submodule determines that the IP session identifier and the MAC address or access port of the user equipment do not conform to the preset binding relationship table.
14. The network gateway according to claim 12 or 13, characterized in that it further comprises: a setting module, configured to set the IP session identifier generation rule and the binding relationship table locally; and a sending module, configured to send the IP session identifier generation rule set by the setting module to the user equipment, so as to set the IP session identifier generation rule in the user equipment.
15. The network gateway according to claim 12 or 13, characterized in that it further comprises: a release module, configured to release the IP session identifier generated by the generation module when the IP session terminates.
16. The network gateway according to claim 12 or 13, characterized in that the generation module specifically comprises:
an acquisition submodule, configured to acquire an IP session address prefix through address allocation prefix delegation or through router advertisement, or to acquire an authentication identifier from an authentication confirmation message, or to acquire an execution identifier from an address allocation response message, or to acquire the IP session address or IP session address prefix preset in the user equipment; and
a generation submodule, configured to generate the IP session identifier for the IP session, according to the IP session identifier generation rule preset by the setting module, from the IP session address prefix, or the authentication identifier, or the execution identifier, or the IP session address or IP session address prefix preset in the user equipment, as acquired by the acquisition submodule.
17. The network gateway according to claim 16, characterized in that the generation module further comprises:
an update submodule, configured to generate, when the IP address allocation result of the IP session is updated, an updated IP session identifier for the IP session according to the IP session identifier generation rule set by the setting module, from the execution identifier in the updated address allocation response message acquired by the acquisition submodule.
18. An IP session processing system, characterized in that it comprises a user equipment and a network gateway, wherein: the user equipment is configured to receive an IP session identifier generation rule sent by the network gateway, generate the corresponding IP session identifier according to the IP session identifier generation rule, and send IP session packets to the network gateway; and
the network gateway is configured to set the IP session identifier generation rule, send the IP session identifier generation rule to the user equipment, generate an IP session identifier for the IP session during an authentication process and/or an IP address allocation process according to the IP session identifier generation rule, and filter the IP session according to the IP session identifier.
19. The IP session processing system according to claim 18, characterized in that the user equipment and the network gateway release the IP session identifier after the IP session ends.
PCT/CN2009/074628 2008-10-31 2009-10-27 Method, device and system for identifying ip session WO2010048874A1 (en)

Priority Applications (2)

Application Number Priority Date Filing Date Title
EP09823066.7A EP2346217B1 (en) 2008-10-31 2009-10-27 Method, device and system for identifying an IPv6 session
US13/097,369 US20110202670A1 (en) 2008-10-31 2011-04-29 Method, device and system for identifying ip session

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
CN200810172313.XA CN101729500B (en) 2008-10-31 2008-10-31 Method, device and system for identifying IP session
CN200810172313.X 2008-10-31

Publications (1)

Publication Number Publication Date
WO2010048874A1 true WO2010048874A1 (en) 2010-05-06

Country Status (4)

Country Link
US (1) US20110202670A1 (en)
EP (1) EP2346217B1 (en)
CN (1) CN101729500B (en)
WO (1) WO2010048874A1 (en)

Also Published As

Publication number Publication date
US20110202670A1 (en) 2011-08-18
EP2346217B1 (en) 2016-03-30
EP2346217A4 (en) 2012-12-26
CN101729500A (en) 2010-06-09
CN101729500B (en) 2013-03-27
EP2346217A1 (en) 2011-07-20
